Assessing the Software Security Comprehension of Large Language Models
Mohammed Latif Siddiq, Natalie Sekerak, Antonio Karam, Maria Leal, Arvin Islam-Gomes, Joanna C. S. Santos

TL;DR
This paper systematically evaluates the security comprehension of leading large language models using Bloom's taxonomy, revealing strengths in basic tasks but significant weaknesses in reasoning and secure system design.
Contribution
It introduces a comprehensive evaluation framework for LLMs' software security understanding and identifies their knowledge boundaries and misconception patterns.
Findings
LLMs perform well on basic recall and recognition tasks.
Performance drops significantly on higher-order reasoning tasks.
Identified 51 recurring misconception patterns across models.
Abstract
Large language models (LLMs) are increasingly used in software development, but their level of software security expertise remains unclear. This work systematically evaluates the security comprehension of five leading LLMs: GPT-4o-Mini, GPT-5-Mini, Gemini-2.5-Flash, Llama-3.1, and Qwen-2.5, using Bloom's Taxonomy as a framework. We assess six cognitive dimensions: remembering, understanding, applying, analyzing, evaluating, and creating. Our methodology integrates diverse datasets, including curated multiple-choice questions, vulnerable code snippets (SALLM), course assessments from an Introduction to Software Security course, real-world case studies (XBOW), and project-based creation tasks from a Secure Software Engineering course. Results show that while LLMs perform well on lower-level cognitive tasks such as recalling facts and identifying known vulnerabilities, their performance…
Taxonomy
Topics: Software Engineering Research · Information and Cyber Security · Software Engineering Techniques and Practices
